Hackers Hijack OpenMetadata Apps in Kubernetes Cryptomining Attacks


For Kubernetes clusters to be exploits by these high-severity and critical vulnerabilities, the environment must be internet-facing and must be using an outdated version before 1.3.1 which included a patch for these vulnerabilities. Environments could be easily exploited under these conditions

Security researchers at Microsoft recently discovered a malware campaign exploiting new critical vulnerabilities in OpenMetadata to compromise Kubernetes environments, gain access to Kubernetes workloads and abuse them for malicious cryptomining activity. OpenMetadata is an open-source platform designed to manage metadata across various data sources. It serves as a central repository for users to discover, understand, and govern their data. Multiple vulnerabilities in OpenMetadata were published on March 15th, 2024 which affect versions prior to 1.3.1 and can be utilized by threat actors to bypass authentication and perform remote code execution: CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254. Microsoft Threat Intelligence has tracked and observed active exploitation of these vulnerabilities since early April.

To gain initial access, the attackers are likely identifying Kubernetes workloads that are exposed to the internet and are then targeting those workloads until they find an outdated vulnerable version to then exploit, leveraging vulnerabilities mentioned earlier. Once the threat actor gains code execution capabilities on the container that runs the vulnerable OpenMetadata image, they perform reconnaissance by trying to validate the successfulness of their intrusion by sending ping requests to certain domains. These domains allow them to determine the compromised system's network activity without triggering suspicious network traffic alerts. The threat actor continues with reconnaissance, finding information about the victim environment and sensitive data like credentials that could assist them with lateral movement to additional resources. Afterward, they deliver and run the cryptomining malware from a remote server in China which houses additional cryptomining campaign malware made for Linux and Windows OS. This malware elevates the attacker’s permissions and then they remove the initial payloads they dropped.

Security Officer Comments:
This attack is an important reminder of why it’s critically important to remain compliant and run fully patched workloads in containerized environments. As a central repository for managing metadata, these OpenMetadata Kubernetes environments are highly incentivized targets, mainly for the theft of sensitive data and in this particular campaign, for underlying computational power.

Suggested Corrections:
To secure your cluster, administrators who run OpenMetadata workload in their cluster need to make sure that the image is up to date. If OpenMetadata should be exposed to the internet, make sure you use strong authentication and avoid using the default credentials.

To get a list of all the images running in the cluster run this command:

kubectl get pods --all-namespaces -o=jsonpath='{range .items[]}{.spec.containers[].image}{"\n"}{end}' | grep 'openmetadata'

If a pod with a vulnerable image is found, make sure to update the image version to the latest version.

Known IOCs for this campaign have been published by Microsoft Threat Intelligence in their blog post.